Spent the last few months looking at hack post-mortems, and something stands out:
The contracts weren't the problem.
The exploits came through keys, signers, and infra.
A multisig where signers shared a device.
A deployer key that leaked.
A frontend pointed at a compromised RPC.
An npm dependency nobody pinned.
You can pay for three audits, get a clean report on every one, and still wake up to a drained treasury because someone's laptop was compromised or a deployer key sat in a .env file for too long.
That's the gap we built our new Multisig & OpSec Audit around at @QuillAudits_AI.
We look at the stuff a contract review doesn't touch:
• how your multisig is actually set up (not just that one exists)
• proxy, timelock, and governance wiring
• admin functions that can move funds or change parameters
• where keys live, how they rotate, how you'd revoke one
• signer hygiene: devices, networks, how you sign
• the infra layer: RPCs, frontend, DNS, CI/CD, API keys
• external surface: oracles, bridges, price feeds, dependencies
The contract is usually the hard thing to break.
The humans, keys, and pipelines around it aren't.
Today marks 8 years of QuillAudits.
Most Web3 security firms didn't exist 8 years ago. Most won't exist 8 years from now.
We've built through 3 bear markets, 2 exploit waves, and the full evolution of smart contract attacks from simple reentrancy to cross-protocol economic exploits.
1,500+ protocols. $3B+ protected.
The biggest lesson from 8 years and 1,500+ engagements :
One team, one method, one pass doesn't cut it when you're protecting hundreds of millions in user funds.
So we rebuilt the model.
Multi-Layer Audit → four independent security layers, delivered in the same timeline as a traditional audit:
> Senior auditors who've collectively reviewed 1,500+ protocols
> AI security agents trained on 5,000+ real exploits since 2017
> Independent bug bounty through curated security researchers
> Continuous monitoring, because threats don't stop at deployment
4 layers. Each one catches what the others miss.
Web3 has a $100T addressable market if institutions show up. They won't show up until security is embedded in every layer, every transaction, every deployment, the way HTTPS is embedded in the internet.
That's the problem worth solving for the next 8 years.
QuillAudits built the foundation, QuillShield is the next chapter — an AI security agent that brings what we learned from 1,500+ manual audits into every developer's workflow, before code ever hits mainnet.
8 years in. Still early.
On my way to Mumbai for @ethmumbai representing @QuillAudits_AI and exploring the intersection of Web3 security × AI.
If you're attending the event or around Mumbai, happy to meet and talk web3 security, research, and the future of decentralized tech. 🤝
OWASP Smart Contract Top 10 (2026) confirms the pivot: Business logic vulnerabilities are now #2.
Attackers no longer chase reentrancy. They break economic invariants in governance and reward mechanics that pass every static check. The attack surface has shifted from Solidity patterns to unmodeled protocol assumptions.
Spec first, then code.
Meta insight : What this means for Web3 security in the next 6–12 months:
Basic code exploits are dropping thanks to better Ai tooling, but total losses aren't. We saw a staggering $3.4B stolen in 2025. The hack volume didn't collapse, it consolidated into massive hits.
Why? Attackers aren't bothering to break your math when they can just steal your keys. The next wave targets ops surfaces (keys, configs, multisig UI), economic design, and the AI arms race on both sides.
Protocols that treat security as a continuous hybrid pipeline:
-Human expertise
-Domain-specific AI
-Formal invariants
-Zero-trust ops
...will survive.
Feb 2026 reality check for auditors: AI-generated code is shipping bugs straight to mainnet.
Moonwell's cbETH oracle returned $1.12 instead of ~$2,200 → $1.78M–$2.7M drained via bad debt.
Hack Analysis shows multiple commits co-authored by AI tools with zero end-to-end integration testing.
Lesson from the trenches: Treat LLM output as untrusted pseudocode. Mandate:
-Human review of every AI-suggested change
-Full fork + fuzz + invariant testing on-chain simulation
-Explicit oracle bounds + sanity checks in prod
We're one sloppy prompt away from the next incident.
Glad to be part of this amazing QuillShield team and Very Proud to be working alongside such talented folks @KernelHarsh@_babarhashmi@iChitranshu@cryptanu@0xSlowbug@turvec_dev@kalp_eth@phoenix244001
Excited to share some impactful findings from QuillShield in recent Solidity contracts scans!
Our tool successfully detected:
• Share tracking desynchronization → potential double-spending
• Incorrect bit extraction from storage → broken price logic
• Missing sequencer uptime checks → stale oracle pricing
These are not just typical bugs, they’re business logic & arithmetic-level vulnerabilities that can lead to serious fund risks if unnoticed.
We’re continuously improving our detection engine to:
→ Catch more edge cases
→ Reduce false positives
→ Go deeper into protocol-level risks
We’re getting sharper every day ⚔️
Introducing QuillShield 🛡️
We’ve been building QuillShield for the last year @QuillAudits.
QuillShield is a security agent swarm embedded inside the developer workflow.
Think of it like an always-on Web3 code review layer for every PR, it catches critical vulnerabilities, surfaces the exact bug + risk, and helps you improve fixes faster over time.
So far, QuillShield has already helped our team crack bounties on leading bug bounty platforms.
The next step is public benchmarks and transparent performance metrics.
We’re preparing to put it on the world map the right way.
Note: The current platform (including the automatic patching flow) is live today, but we’ll be deprecating it soon. We’re rebuilding QuillShield from scratch with a completely fresh approach, which is why there haven’t been major updates in the last 3–4 months.
More updates coming soon. 👀
Our team analyzed Solana architecture for prediction market risks. Here's what we found:
No major exploit has happened yet but the vulnerability patterns are clear.
Most teams are building with Ethereum assumptions on Solana infrastructure.
On Ethereum, finality is straightforward.
On Solana, optimistic confirmation happens in milliseconds but true finality takes 32+ slots. That difference matters enormously for resolution logic.
On Ethereum, contract calls are relatively unlimited.
On Solana, cross-program invocation depth is capped at four levels. Settlement logic that works in testing can fail in production.
On Ethereum, state persists indefinitely.
On Solana, accounts below rent thresholds get garbage collected. A six-month market can lose its entire state.
These same patterns cost Mango Markets $116M in 2022.
The lesson isn't that Solana is less secure. It's that security on Solana requires Solana-native thinking.
Different architecture. Different threat model. Same consequences for getting it wrong.
What a month January 2026 has been for us at @QuillAudits_AI .
We wrapped up 9 audits in a single month, and the diversity of work made it even more exciting. From DePIN and AI agent–driven protocols to a project positioning itself as the gateway to a global golf blockchain ecosystem, the range was incredible.
We also dug deep into Web3 gaming protocols and several staking and vault contracts.
Different narratives, different threat models, same focus on security and correctness.
Grateful for the teams that trusted us and the long nights that paid off.
February, we’re ready🚀
Hey folks, hope everyone’s doing well.
We at @QuillAudits_AI are looking to collaborate with 2–3 experienced Solidity fuzzing experts on a project-to-project, part-time basis.
If you have hands-on experience with smart contract fuzzing (Foundry/Echidna, invariant testing, etc.), feel free to DM me.
Let’s talk 🚀
Would love to help. Smart contract security is usually an afterthought for early builders, but it shouldn't be.
We can offer YC founders expedited audits, access to our AI agent, and some office hours. Let's make security accessible from day one.
@QuillAudits_AI , We've been securing crypto projects since 2018. 1400+ audits later across Ethereum, Solana, and beyond, my team has caught 10,000+ vulnerabilities before they could do damage.
Most Web3 founders stop at smart contract audits.
Attackers don’t.
Here’s the security model every Web3 team needs to understand:
How Web3 Security Actually Works 👇
Smart contract audit answers:
“Is the protocol logic safe?”
dApp pentest answers:
“Can I bypass everything around the protocol and still break it?”
Both are required. One without the other is incomplete security.
From an audit firm’s perspective, liquidation engines are one of the most critical and highest-risk components.
That’s why our audits focus heavily on liquidation edge cases.
Key edge cases include:
1]Rounding at HF ≈ 1 is causing premature or blocked liquidations
2]Partial liquidations that don’t restore solvency → repeated bonus extraction
3]Dust debt left after liquidation that can never be liquidated, but keeps accruing interest
4]Self-liquidation via secondary accounts farming liquidation bonuses
5]Liquidation bonus exceeding realisable market value -> liquidators disengage
6]Oracle timing mismatch: price updates newer than debt/interest state → false liquidations or missed ones
7]Stale-but-valid oracle prices (no freshness checks) during downtime or L2 halts
8]Reentrancy via collateral token hooks (ERC777/callbacks)
9]Governance parameter changes are causing instant mass liquidations without grace periods
Liquidations fail at boundaries, timing, and incentives; not on the happy path.
Closed our biggest Q4 deal at a conference in Abu Dhabi.
I asked their CTO: "What worries you about v2?"
"Liquidation engine edge cases."
Showed him we'd caught that exact bug class in a similar protocol.
Know your niche.
Show your work.
Speak their language.
Leading audits at @QuillAudits_AI since 2021 has been a masterclass in Web3 cycles.
📈 2021 was the DeFi peak - volume everywhere.
📉 2022 was the crash - pressure, uncertainty, consolidation.
That year didn’t break us. It defined us.
🌱 2023 is where the graph starts climbing again; not because the market made it easy, but because the team stayed focused, disciplined, and mission-driven.
📊 2024 and 2025 show consistent, year-on-year growth: proof of trust earned, operational maturity, and a team that knows how to scale.
The upward curve from 2023 → 2025 tells the real story: a team that stayed together in the lows and grew stronger in the highs - securing Web3 throughout.
Huge kudos to the team @cryptanu@turvec_dev@phoenix244001@Nilima_Nair03@bigrkg@raopreetam_ who stayed together through the lows, kept securing Web3 when it mattered most, and turned consistency into compounding growth. 🙌
Carrying this momentum into 2026. Same mission. Bigger scale. 🛡️🚀
This is exactly why we built @QuillAudits_AI Monitor.
Across many hacks we’ve analyzed, the pattern before the exploit is often the same:
-The same issues resurface on mainnet
-And eventually, they show up as incidents
-Funds are lost, users suffer, and trust is broken
QuillMonitor exists to document these outcomes, turning repeated security failures into learnings the ecosystem can’t ignore.
It’s a curated Web3 hack database that helps devs and security researchers:
-Filter incidents by chain, attack type, and protocol category
-Trace exploits back to their root causes
-Spot recurring attack patterns across ecosystems
-Build and audit with historical context, not hindsight
In Web3, security failures rarely start at the exploit.
They start much earlier, in how feedback is handled.
Humility compounds.
Ego gets archived.
Choose wisely.
The protocols that listen to security researchers vs the ones that argue with every finding:
One group builds lasting projects.
The other group ends up in @QuillAudits_AI's Monitor.
Ego is expensive in Web3.
Humility compounds.
Choose wisely.
@0xcuriousapple@tempo msg.value and address(this).balance are meaningless here. Just use TIP20.transferFrom() and TIP20.balanceOf() for everything.
The token users pick for gas is handled at protocol level, your contract doesn't see it.
Web3 lost $2.54B in 2025 across 89 hacks.
One phishing attack on Bybit = $1.4B (55% of ALL losses)
The math is brutal:
• 3 phishing incidents = $1.4B
• 21 code vulns = $408M
• 21 key compromises = $350M
Hardware wallets and MFA aren't optional anymore. They're survival tools.
The house always wins, unless you secure the keys.
Full report: https://t.co/fNjpVzlD9w
As 2025 comes to a close, what an incredible year it’s been for us @QuillAudits_AI
✅ 200+ audits completed
🐞 1200+ issues identified, including ~300 High & Critical findings
Worked across ecosystems: Monad, Sonic, Soneium, Avalanche, Plume Chain, Scroll, Tron, Avitus, XRP, Solana, Sway, Arbitrum, Optimism, Aptos, MST Chain, Neura Network, Sui, Aptos, Base, Polygon, Ethereum & more...
Audited a wide spectrum of protocols: Perp DEXs, Prediction Markets, ETFs, DeSci, DePIN, RWAs, Stablecoin ecosystems, Vaults, On-chain Agents, GameFi, Cross-chain Protocols, Lending/Borrowing, DAO infrastructure, L2 chains, Wallet & dApp pentesting, and complex DeFi strategies, hedging protocols
From low to extremely high-complexity codebases, this year pushed our expertise to the next level.
We deep dived into R&D and launched the Uniswap v4 playbook, the RWA Playbook, multi-layer audit methodology, and it truly changed the game for us.🔥
Grateful for an amazing 2025, stepping into 2026 with 2× energy to secure more protocols, explore more chains, uncover deeper issues, and break assumptions across codebases and languages.
Onward 🛡️✨